<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Method Security :: Spring Security</title>
<link rel="canonical" href="../../../../servlet/appendix/namespace/method-security.html">
<link rel="prev" href="http.html">
<link rel="next" href="ldap.html">
<meta name="generator" content="Antora 3.0.0">
<link rel="stylesheet" href="../../../../_/css/site.css">
<link href="../../../../_/img/favicon.ico" rel='shortcut icon' type='image/vnd.microsoft.icon'>
<link rel="stylesheet" href="../../../../_/css/vendor/docsearch.min.css">

<script>var uiRootPath = '../../../../_'</script>
</head>
<body class="article">
<div class="body">
<main class="article">
<div class="content">
<article class="doc">
<div class="admonitionblock important">
<table>
<tbody><tr>
<td class="icon">
<i class="fa icon-important" title="Important"></i>
</td>
<td class="content">
<div class="paragraph">
<p> For the latest stable version, please use <a href="../../../../servlet/appendix/namespace/method-security.html">Spring Security 5.6.3</a>!</p>
</div>
</td>
</tr></tbody>
</table>
</div>
<h1 id="page-title" class="page">Method Security</h1>
<div class="sect1">
<h2 id="nsa-method-security"><a class="anchor" href="method-security.html#nsa-method-security"></a>&lt;method-security&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This element is the primary means of adding support for securing methods on Spring Security beans.
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.</p>
</div>
<div class="sect2">
<h3 id="nsa-method-security-attributes"><a class="anchor" href="method-security.html#nsa-method-security-attributes"></a>&lt;method-security&gt; attributes</h3>
<div id="nsa-method-security-pre-post-enabled" class="ulist">
<ul>
<li>
<p><strong>pre-post-enabled</strong>
Enables Spring Security&#8217;s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context.
Defaults to "true".</p>
</li>
</ul>
</div>
<div id="nsa-method-security-secured-enabled" class="ulist">
<ul>
<li>
<p><strong>secured-enabled</strong>
Enables Spring Security&#8217;s @Secured annotation for this application context.
Defaults to "false".</p>
</li>
</ul>
</div>
<div id="nsa-method-security-jsr250-enabled" class="ulist">
<ul>
<li>
<p><strong>jsr250-enabled</strong>
Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context.
Defaults to "false".</p>
</li>
</ul>
</div>
<div id="nsa-method-security-proxy-target-class" class="ulist">
<ul>
<li>
<p><strong>proxy-target-class</strong>
If true, class based proxying will be used instead of interface based proxying.
Defaults to "false".</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-method-security-children"><a class="anchor" href="method-security.html#nsa-method-security-children"></a>Child Elements of &lt;method-security&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="http.html#nsa-expression-handler" class="xref page">expression-handler</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-global-method-security"><a class="anchor" href="method-security.html#nsa-global-method-security"></a>&lt;global-method-security&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This element is the primary means of adding support for securing methods on Spring Security beans.
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.</p>
</div>
<div class="sect2">
<h3 id="nsa-global-method-security-attributes"><a class="anchor" href="method-security.html#nsa-global-method-security-attributes"></a>&lt;global-method-security&gt; Attributes</h3>
<div id="nsa-global-method-security-access-decision-manager-ref" class="ulist">
<ul>
<li>
<p><strong>access-decision-manager-ref</strong>
Method security uses the same <code>AccessDecisionManager</code> configuration as web security, but this can be overridden using this attribute.
By default an AffirmativeBased implementation is used with a RoleVoter and an AuthenticatedVoter.</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-authentication-manager-ref" class="ulist">
<ul>
<li>
<p><strong>authentication-manager-ref</strong>
A reference to an <code>AuthenticationManager</code> that should be used for method security.</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-jsr250-annotations" class="ulist">
<ul>
<li>
<p><strong>jsr250-annotations</strong>
Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed").
This will require the javax.annotation.security classes on the classpath.
Setting this to true also adds a <code>Jsr250Voter</code> to the <code>AccessDecisionManager</code>, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-metadata-source-ref" class="ulist">
<ul>
<li>
<p><strong>metadata-source-ref</strong>
An external <code>MethodSecurityMetadataSource</code> instance can be supplied which will take priority over other sources (such as the default annotations).</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-mode" class="ulist">
<ul>
<li>
<p><strong>mode</strong>
This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP.
Secured methods must be woven with the <code>AnnotationSecurityAspect</code> from the <code>spring-security-aspects</code> module.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>It is important to note that AspectJ follows Java&#8217;s rule that annotations on interfaces are not inherited.
This means that methods that define the Security annotations on the interface will not be secured.
Instead, you must place the Security annotation on the class when using AspectJ.</p>
</div>
<div id="nsa-global-method-security-order" class="ulist">
<ul>
<li>
<p><strong>order</strong>
Allows the advice "order" to be set for the method security interceptor.</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-pre-post-annotations" class="ulist">
<ul>
<li>
<p><strong>pre-post-annotations</strong>
Specifies whether the use of Spring Security&#8217;s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context.
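Defaults to "disabled".
While it is disabled, this element does not process these annotations, so they do not by themselves protect the annotated methods.</p>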
</li>
</ul>
</div>
<div id="nsa-global-method-security-proxy-target-class" class="ulist">
<ul>
<li>
<p><strong>proxy-target-class</strong>
If true, class based proxying will be used instead of interface based proxying.</p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-run-as-manager-ref" class="ulist">
<ul>
<li>
<p><strong>run-as-manager-ref</strong>
A reference to an optional <code>RunAsManager</code> implementation which will be used by the configured <code>MethodSecurityInterceptor</code></p>
</li>
</ul>
</div>
<div id="nsa-global-method-security-secured-annotations" class="ulist">
<ul>
<li>
<p><strong>secured-annotations</strong>
Specifies whether the use of Spring Security&#8217;s @Secured annotations should be enabled for this application context.
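Defaults to "disabled".
While it is disabled, this element does not process @Secured, so the annotation does not by itself protect the annotated methods.</p>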
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-global-method-security-children"><a class="anchor" href="method-security.html#nsa-global-method-security-children"></a>Child Elements of &lt;global-method-security&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-after-invocation-provider">after-invocation-provider</a></p>
</li>
<li>
<p><a href="http.html#nsa-expression-handler" class="xref page">expression-handler</a></p>
</li>
<li>
<p><a href="method-security.html#nsa-pre-post-annotation-handling">pre-post-annotation-handling</a></p>
</li>
<li>
<p><a href="method-security.html#nsa-protect-pointcut">protect-pointcut</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-after-invocation-provider"><a class="anchor" href="method-security.html#nsa-after-invocation-provider"></a>&lt;after-invocation-provider&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This element can be used to decorate an <code>AfterInvocationProvider</code> for use by the security interceptor maintained by the <code>&lt;global-method-security&gt;</code> namespace.
You can define zero or more of these within the <code>global-method-security</code> element, each with a <code>ref</code> attribute pointing to an <code>AfterInvocationProvider</code> bean instance within your application context.</p>
</div>
<div class="sect2">
<h3 id="nsa-after-invocation-provider-parents"><a class="anchor" href="method-security.html#nsa-after-invocation-provider-parents"></a>Parent Elements of &lt;after-invocation-provider&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-global-method-security">global-method-security</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-after-invocation-provider-attributes"><a class="anchor" href="method-security.html#nsa-after-invocation-provider-attributes"></a>&lt;after-invocation-provider&gt; Attributes</h3>
<div id="nsa-after-invocation-provider-ref" class="ulist">
<ul>
<li>
<p><strong>ref</strong>
Defines a reference to a Spring bean that implements <code>AfterInvocationProvider</code>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-pre-post-annotation-handling"><a class="anchor" href="method-security.html#nsa-pre-post-annotation-handling"></a>&lt;pre-post-annotation-handling&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Allows the default expression-based mechanism for handling Spring Security&#8217;s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely.
Only applies if these annotations are enabled.</p>
</div>
<div class="sect2">
<h3 id="nsa-pre-post-annotation-handling-parents"><a class="anchor" href="method-security.html#nsa-pre-post-annotation-handling-parents"></a>Parent Elements of &lt;pre-post-annotation-handling&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-global-method-security">global-method-security</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-pre-post-annotation-handling-children"><a class="anchor" href="method-security.html#nsa-pre-post-annotation-handling-children"></a>Child Elements of &lt;pre-post-annotation-handling&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-invocation-attribute-factory">invocation-attribute-factory</a></p>
</li>
<li>
<p><a href="method-security.html#nsa-post-invocation-advice">post-invocation-advice</a></p>
</li>
<li>
<p><a href="method-security.html#nsa-pre-invocation-advice">pre-invocation-advice</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-invocation-attribute-factory"><a class="anchor" href="method-security.html#nsa-invocation-attribute-factory"></a>&lt;invocation-attribute-factory&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.</p>
</div>
<div class="sect2">
<h3 id="nsa-invocation-attribute-factory-parents"><a class="anchor" href="method-security.html#nsa-invocation-attribute-factory-parents"></a>Parent Elements of &lt;invocation-attribute-factory&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-pre-post-annotation-handling">pre-post-annotation-handling</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-invocation-attribute-factory-attributes"><a class="anchor" href="method-security.html#nsa-invocation-attribute-factory-attributes"></a>&lt;invocation-attribute-factory&gt; Attributes</h3>
<div id="nsa-invocation-attribute-factory-ref" class="ulist">
<ul>
<li>
<p><strong>ref</strong>
Defines a reference to a Spring bean Id.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-post-invocation-advice"><a class="anchor" href="method-security.html#nsa-post-invocation-advice"></a>&lt;post-invocation-advice&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Customizes the <code>PostInvocationAdviceProvider</code> with the ref as the <code>PostInvocationAuthorizationAdvice</code> for the &lt;pre-post-annotation-handling&gt; element.</p>
</div>
<div class="sect2">
<h3 id="nsa-post-invocation-advice-parents"><a class="anchor" href="method-security.html#nsa-post-invocation-advice-parents"></a>Parent Elements of &lt;post-invocation-advice&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-pre-post-annotation-handling">pre-post-annotation-handling</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-post-invocation-advice-attributes"><a class="anchor" href="method-security.html#nsa-post-invocation-advice-attributes"></a>&lt;post-invocation-advice&gt; Attributes</h3>
<div id="nsa-post-invocation-advice-ref" class="ulist">
<ul>
<li>
<p><strong>ref</strong>
Defines a reference to a Spring bean Id.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-pre-invocation-advice"><a class="anchor" href="method-security.html#nsa-pre-invocation-advice"></a>&lt;pre-invocation-advice&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Customizes the <code>PreInvocationAuthorizationAdviceVoter</code> with the ref as the <code>PreInvocationAuthorizationAdviceVoter</code> for the &lt;pre-post-annotation-handling&gt; element.</p>
</div>
<div class="sect2">
<h3 id="nsa-pre-invocation-advice-parents"><a class="anchor" href="method-security.html#nsa-pre-invocation-advice-parents"></a>Parent Elements of &lt;pre-invocation-advice&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-pre-post-annotation-handling">pre-post-annotation-handling</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-pre-invocation-advice-attributes"><a class="anchor" href="method-security.html#nsa-pre-invocation-advice-attributes"></a>&lt;pre-invocation-advice&gt; Attributes</h3>
<div id="nsa-pre-invocation-advice-ref" class="ulist">
<ul>
<li>
<p><strong>ref</strong>
Defines a reference to a Spring bean Id.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-protect-pointcut"><a class="anchor" href="method-security.html#nsa-protect-pointcut"></a>Securing Methods using &lt;protect-pointcut&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Rather than defining security attributes on an individual method or class basis using the <code>@Secured</code> annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the <code>&lt;protect-pointcut&gt;</code> element.
You can find an example in the <a href="../../authorization/method-security.html#ns-protect-pointcut" class="xref page">namespace introduction</a>.</p>
</div>
<div class="sect2">
<h3 id="nsa-protect-pointcut-parents"><a class="anchor" href="method-security.html#nsa-protect-pointcut-parents"></a>Parent Elements of &lt;protect-pointcut&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-global-method-security">global-method-security</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-protect-pointcut-attributes"><a class="anchor" href="method-security.html#nsa-protect-pointcut-attributes"></a>&lt;protect-pointcut&gt; Attributes</h3>
<div id="nsa-protect-pointcut-access" class="ulist">
<ul>
<li>
<p><strong>access</strong>
Access configuration attributes list that applies to all methods matching the pointcut, e.g.
"ROLE_A,ROLE_B"</p>
</li>
</ul>
</div>
<div id="nsa-protect-pointcut-expression" class="ulist">
<ul>
<li>
<p><strong>expression</strong>
An AspectJ expression, including the <code>execution</code> keyword.
For example, <code>execution(int com.foo.TargetObject.countLength(String))</code>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-intercept-methods"><a class="anchor" href="method-security.html#nsa-intercept-methods"></a>&lt;intercept-methods&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean&#8217;s methods</p>
</div>
<div class="sect2">
<h3 id="nsa-intercept-methods-attributes"><a class="anchor" href="method-security.html#nsa-intercept-methods-attributes"></a>&lt;intercept-methods&gt; Attributes</h3>
<div id="nsa-intercept-methods-access-decision-manager-ref" class="ulist">
<ul>
<li>
<p><strong>access-decision-manager-ref</strong>
Optional AccessDecisionManager bean ID to be used by the created method security interceptor.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-intercept-methods-children"><a class="anchor" href="method-security.html#nsa-intercept-methods-children"></a>Child Elements of &lt;intercept-methods&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-protect">protect</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-method-security-metadata-source"><a class="anchor" href="method-security.html#nsa-method-security-metadata-source"></a>&lt;method-security-metadata-source&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Creates a MethodSecurityMetadataSource instance</p>
</div>
<div class="sect2">
<h3 id="nsa-method-security-metadata-source-attributes"><a class="anchor" href="method-security.html#nsa-method-security-metadata-source-attributes"></a>&lt;method-security-metadata-source&gt; Attributes</h3>
<div id="nsa-method-security-metadata-source-id" class="ulist">
<ul>
<li>
<p><strong>id</strong>
A bean identifier, used for referring to the bean elsewhere in the context.</p>
</li>
</ul>
</div>
<div id="nsa-method-security-metadata-source-use-expressions" class="ulist">
<ul>
<li>
<p><strong>use-expressions</strong>
Enables the use of expressions in the 'access' attributes in &lt;intercept-url&gt; elements rather than the traditional list of configuration attributes.
Defaults to 'false'.
If enabled, each attribute should contain a single Boolean expression.
If the expression evaluates to 'true', access will be granted.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-method-security-metadata-source-children"><a class="anchor" href="method-security.html#nsa-method-security-metadata-source-children"></a>Child Elements of &lt;method-security-metadata-source&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-protect">protect</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="nsa-protect"><a class="anchor" href="method-security.html#nsa-protect"></a>&lt;protect&gt;</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Defines a protected method and the access control configuration attributes that apply to it.
We strongly advise you NOT to mix "protect" declarations with any services provided by "global-method-security".</p>
</div>
<div class="sect2">
<h3 id="nsa-protect-parents"><a class="anchor" href="method-security.html#nsa-protect-parents"></a>Parent Elements of &lt;protect&gt;</h3>
<div class="ulist">
<ul>
<li>
<p><a href="method-security.html#nsa-intercept-methods">intercept-methods</a></p>
</li>
<li>
<p><a href="method-security.html#nsa-method-security-metadata-source">method-security-metadata-source</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="nsa-protect-attributes"><a class="anchor" href="method-security.html#nsa-protect-attributes"></a>&lt;protect&gt; Attributes</h3>
<div id="nsa-protect-access" class="ulist">
<ul>
<li>
<p><strong>access</strong>
Access configuration attributes list that applies to the method, e.g.
"ROLE_A,ROLE_B".</p>
</li>
</ul>
</div>
<div id="nsa-protect-method" class="ulist">
<ul>
<li>
<p><strong>method</strong>
A method name</p>
</li>
</ul>
</div>
</div>
</div>
</div>
</article>
</div>
</main>
</div>
</body>
</html>
